httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security
Date Sat, 21 Sep 2002 22:04:35 GMT
On Sat, 21 Sep 2002, Rich Bowen wrote:

> > > * So, here's the recommendation:
> > >
> > >     chown root.www logs
> > >     chmod 770 logs
> >
> > This goes explicitly against what is documented in the current docs
> > and allows anyone who compromises the "www" group to gain root access
> > to the system.
>
> Can you elaborate as to how that would happen?
>
> The current docs say that the directory should be 755, which would
> prevent ssl from logging. Or so I would have thought. Need to experiment
> with that, I guess.

OK, I stand corrected. Making logs root.root and 750, ssl still creates
its log files quite happily, and they are owned by nobody.root. How it
is doing this, I'm not clear, but I suppose I should go paw through the
source code for that one.

The concern with making the log directory readable, by my paranoid
students, was that a user who gained access to the server as an
unprivileged user could watch the log files to see the effects of things
that they were trying. Yes, some of these things seem a little overly
paranoid, but that was sort of the point - minimal permission
recommendations, and you can go from there.

-- 
Oh I have slipped the surly bonds of earth
And danced the sky on laughter-silvered wings
 --High Flight (John Gillespie Magee)
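An added audit script, not part of the thread or of the httpd project, that checks a log directory against the minimal-permission stance discussed above (root-owned, no write access for the web server's group, nothing readable by "other"). The function name `audit_logdir`, its arguments and the sample findings are assumptions for this example; the web server group name is passed in rather than hard-coded as "www".

```shell
#!/bin/sh
# Audit an httpd log directory against the minimal-permission stance in the
# thread: root-owned, no write access for the web server's group, and nothing
# readable by "other". Assumed interface (not from the thread):
#   audit_logdir DIR WEBGROUP [EXPECTED_OWNER]
# WEBGROUP is the group httpd runs as (the "www" of the thread); EXPECTED_OWNER
# defaults to root. Findings go to stderr; the return value is their count.
audit_logdir() {
    dir=$1 webgroup=$2 want_owner=${3:-root} findings=0
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # Parse "drwxrwx--- 2 root www ..." from ls -ld; drop an ACL/SELinux marker.
    set -- $(ls -ld "$dir")
    mode=${1%[+.]} owner=$3 group=$4
    group_bits=${mode#????}; group_bits=${group_bits%???}   # chars 5-7
    other_bits=${mode#???????}                               # chars 8-10

    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        findings=$((findings + 1))
    fi
    # "chown root.www logs; chmod 770 logs" is the case objected to in the
    # thread: the web server's group can create, rename and remove entries
    # in a directory that root later opens files in.
    case $group_bits in
        ?w?) if [ "$group" = "$webgroup" ]; then
                 echo "$dir: web group $group can write the directory" >&2
                 findings=$((findings + 1))
             fi ;;
    esac
    # Any "other" bit lets an unprivileged local user list, traverse or read
    # the logs, the concern raised at the end of the message.
    case $other_bits in
        ---|--T) ;;
        *) echo "$dir: accessible to other ($other_bits)" >&2
           findings=$((findings + 1)) ;;
    esac
    # Individual log files must not be readable by "other" either.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(ls -l "$f")
        fmode=${1%[+.]}
        case ${fmode#???????} in
            ---) ;;
            *) echo "$f: readable by other (${fmode#???????})" >&2
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}
```

Run as `audit_logdir /usr/local/apache/logs www` and treat a non-zero exit status as the number of findings to fix.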

